Lawfare Archive: CYBERCOM Legal Conference – The Role of the Private Sector in Conflict

Podcast: The Lawfare Podcast
Date: October 26, 2025 (original panel: April 24, 2024)
Host: Natalie Orpet (Executive Editor, Lawfare)
Panelists: Jonathan Horowitz (ICRC Legal Advisor), Laurie Blank (Special Counsel, OGC DoD; Professor at Emory Law), Adam Hickey (Partner, Mayer Brown; former Deputy Assistant Attorney General, DOJ)

Episode Overview

This episode features an insightful panel discussion from the 2024 US Cyber Command Legal Conference, focusing on the complex and evolving role of the private sector in the context of armed conflict—especially with regard to cyber conflicts and digital infrastructure. The panelists—representing expertise in international law, private sector legal practice, and humanitarian legal frameworks—explore key legal, practical, and ethical considerations that arise when private companies become entangled in conflict or serve as intermediaries between government and adversarial actors.
The conversation journeyed through pre-crisis “steady state,” escalation phases, and full-fledged armed conflict, always returning to the importance of clear communication, education, and trust between government and private sector actors.

Key Discussion Points and Insights

1. Setting the Stage: The Pre-Conflict Baseline

[02:51–15:25]

Government and private sector actors often have different vocabularies, incentives, and frames of reference.
- Natalie Orpet notes the necessity of learning each other’s “languages” before a crisis hits.
Private Sector’s Steady State:
- Most companies have limited routine engagement with government, mainly for information-sharing related to legal process or threat reports (Adam Hickey, [05:38]).
- The focus is on regulatory compliance (e.g., incident reporting), personal liability (for CISOs), reputation, public perception, and workforce sentiment.
- Reputational risks include concern about perceptions (e.g., in Europe or among customers globally) and workforce hesitancy about the company’s involvement in defense technologies.
- Memorable example:
  
  "Cutting out legal, for example, would be my number one advice for what not to do if you’re looking for cooperation."
  —Adam Hickey ([09:59])
International Law & Managing Expectations:
- International legal frameworks set expectations and thresholds for state action, designed to maintain stability and minimize escalation (Laurie Blank, [10:49]).
- Legal clarity helps both government and private sector actors foresee the range of potential consequences—and avoid unintended escalation.
ICRC’s Evolving Engagement:
- The private sector is becoming an increasingly important stakeholder in conflict zones, given its role in essential digital infrastructure and civilian services (Jonathan Horowitz, [15:25]).
- ICRC sees engagement with private companies as critical for both prevention and risk management.

2. Crisis Escalation: Blurred Lines and New Responsibilities

[19:13–33:17]

Attribution and State Responsibility:
- During crisis or escalation, legal advisors in government and companies must assess who is responsible for hostile activity and the available levers for response (Laurie Blank, [20:24]).
- Distinguishing whether acts are attributable to a state or a non-state actor is crucial—for options like sanctions, countermeasures, or use of force.
- The private sector’s actions may be—intentionally or not—attributable to a state, increasing risk for both company and government.
- Notable quote:
  
  “The flip side of that attribution question is when are the actions...of the folks we’ve been talking about now somehow be attributable to the state on our side? And that’s an equally important...piece.”
  —Laurie Blank ([22:41])
Private Sector Risk Calculus:
- In crisis, companies must balance business priorities with growing risks: personnel safety, legal violations (e.g., sanctions), reputational fallout, or even targeting in kinetic or cyber retaliation (Adam Hickey, [26:24]).
- The tendency is still to optimize for shareholder value, but the calculus grows more complicated as events escalate.
The ICRC’s Legal Warning:
- Private sector must understand that, in some circumstances, their infrastructure could become a military objective; employees could be seen as directly participating in hostilities (Jonathan Horowitz, [28:57]).
- Many companies are unaware that, under international humanitarian law, their people and property could be lawfully targeted if they cross certain lines in conflict.
- Memorable moment:
  
  “Are employees of technology companies engaging in activities that would...constitute direct participation in hostilities? ...It could be a life or death conversation.”
  —Jonathan Horowitz ([31:12])

3. Armed Conflict: Direct Involvement and New Legal Realities

[35:00–47:50]

Types of Government Asks:
- Panelists identify three main ways the government might seek private sector assistance during conflict:
  1. Procurement: Standard contracts for goods/services.
  2. Soft cooperation: Requests for tips, information, or sharing that may lack formal process or clarity.
  3. “Weird asks”: Secret or surreptitious access, potentially high-risk and reputationally hazardous. —Adam Hickey ([35:42])
Risks Beyond Formal Cooperation:
- Many companies risk exposure simply by virtue of operating infrastructure or providing dual-use products; actors in conflict may exploit general-purpose tools (Laurie Blank, [38:47]).
- The integration of civilian and military networks/nodes means companies may be affected even without direct intent.
Insurance and “Acts of War” Clauses:
- Companies may not realize that cooperation with the government or certain conflicts could void insurance policies due to “act of war” exclusions (Laurie Blank & Adam Hickey, [38:55], [44:38]).
IHL Principles Still Apply—But the Cyber Realm Adds Complexity:
- Many of these legal questions—about dual-use objects, direct participation, and targeting—have parallels in conventional warfare (Jonathan Horowitz, [45:04]).
- However, the invisibility of cyber infrastructure and network overlap makes risk harder to perceive or manage.
- Quip:
  
  “That is true to cyberspace, but that is not new to cyberspace.”
  —Jonathan Horowitz ([46:43])
The Challenge of Visibility and Awareness:
- Companies (especially non-experts) may be unaware of their proximity to military activity in the “battlefield” of networks:
  
  “You can see the bridge, you can see the hill.... You can’t see when there’s overlap in the cyber world.”
  —Laurie Blank ([47:50])

4. Building Durable Public-Private Partnerships

[50:17–58:45]

Education and Communication Are Essential:
- Pre-crisis education—establishing shared vocabulary, understanding frameworks, and learning about risks—is vital.
- The key is clear, transparent government communication about what is being asked of private sector entities—especially outside procurement channels (Adam Hickey, [51:17]).
Tailored Engagement:
- Not all companies or sectors face the same risks; dialogue should be specific to the nature of services, infrastructure, and exposure (Jonathan Horowitz, [53:04]).
- Companies should proactively conduct internal audits to assess how their operations intersect with risks of targetability and legal obligation.
ICRC Principles of Engagement:
- The ICRC will engage with all parties (state or non-state) to ensure humanitarian obligations are upheld, regardless of how the battlefield evolves (Jonathan Horowitz, [57:10]).
- The rise of cyber does not fundamentally alter ICRC’s commitment to impartial humanitarian aid.

5. Takeaway “Bumper Stickers”

[59:02–59:46]

Adam Hickey: “I used it on the question—that’s my bumper sticker.”
(Refers to the need for clarity on the “ask”).
Laurie Blank:

“Beware of the line between engaging and all of a sudden bearing attribution and responsibility for.”
Jonathan Horowitz:

“The private sector has protections under international humanitarian law. It can lose those protections, and it also has obligations. Read the Geneva Conventions, read the Additional Protocols, and give the ICRC a call if you have any questions.”

Notable Quotes and Memorable Moments

On the perils of leaving out legal compliance:

"Cutting out legal, for example, would be my number one advice for what not to do if you’re looking for cooperation."
—Adam Hickey ([09:59])
On shifting realities in conflict:

"Are employees of technology companies engaging in activities that would...constitute direct participation in hostilities?...It could be a life or death conversation."
—Jonathan Horowitz ([31:12])
On reputational and legal risk:

"The flip side of that attribution question is when are the actions...of the folks we’ve been talking about now somehow be attributable to the state on our side? And that’s an equally important...piece."
—Laurie Blank ([22:41])
On the need for clarity:

"Plan to communicate transparently in the crisis or in conflict, it’s going to have to look a lot different from the fairly vague...that comes over in steady state periods, sometimes outside of procurement."
—Adam Hickey ([51:17])
On visibility in cyber conflict:

"You can see the bridge, you can see the hill... You can’t see when there’s overlap in the cyber world."
—Laurie Blank ([47:50])

Key Timestamps

Setting the Baseline: 05:38–15:25
Crisis Phase/Attribution: 19:13–28:57
Armed Conflict & Legal Questions: 35:00–47:50
Building Partnerships & Takeaways: 50:17–59:46

Conclusion

The panel underscores the profound, rapidly evolving responsibilities and risks that the private sector faces as vital infrastructure and technology become ever more embedded in both the civilian and military activities of modern conflict. The core message: successful navigation requires education, early and honest communication, an appreciation for the nuances of international and domestic law, and the recognition that lines between private and public, civilian and military, are increasingly blurred—especially in cyberspace. The ICRC, government, and private sector must all adapt, with the shared goal of stability, clarity, and humanitarian protection.

Lawfare Archive: CYBERCOM Legal Conference – The Role of the Private Sector in Conflict

Episode Overview

Key Discussion Points and Insights

1. Setting the Stage: The Pre-Conflict Baseline

[02:51–15:25]

Government and private sector actors often have different vocabularies, incentives, and frames of reference.
- Natalie Orpet notes the necessity of learning each other’s “languages” before a crisis hits.
Private Sector’s Steady State:
- Most companies have limited routine engagement with government, mainly for information-sharing related to legal process or threat reports (Adam Hickey, [05:38]).
- The focus is on regulatory compliance (e.g., incident reporting), personal liability (for CISOs), reputation, public perception, and workforce sentiment.
- Reputational risks include concern about perceptions (e.g., in Europe or among customers globally) and workforce hesitancy about the company’s involvement in defense technologies.
- Memorable example:
  
  "Cutting out legal, for example, would be my number one advice for what not to do if you’re looking for cooperation."
  —Adam Hickey ([09:59])
International Law & Managing Expectations:
- International legal frameworks set expectations and thresholds for state action, designed to maintain stability and minimize escalation (Laurie Blank, [10:49]).
- Legal clarity helps both government and private sector actors foresee the range of potential consequences—and avoid unintended escalation.
ICRC’s Evolving Engagement:
- The private sector is becoming an increasingly important stakeholder in conflict zones, given its role in essential digital infrastructure and civilian services (Jonathan Horowitz, [15:25]).
- ICRC sees engagement with private companies as critical for both prevention and risk management.

2. Crisis Escalation: Blurred Lines and New Responsibilities

[19:13–33:17]

Attribution and State Responsibility:
- During crisis or escalation, legal advisors in government and companies must assess who is responsible for hostile activity and the available levers for response (Laurie Blank, [20:24]).
- Distinguishing whether acts are attributable to a state or a non-state actor is crucial—for options like sanctions, countermeasures, or use of force.
- The private sector’s actions may be—intentionally or not—attributable to a state, increasing risk for both company and government.
- Notable quote:
  
  “The flip side of that attribution question is when are the actions...of the folks we’ve been talking about now somehow be attributable to the state on our side? And that’s an equally important...piece.”
  —Laurie Blank ([22:41])
Private Sector Risk Calculus:
- In crisis, companies must balance business priorities with growing risks: personnel safety, legal violations (e.g., sanctions), reputational fallout, or even targeting in kinetic or cyber retaliation (Adam Hickey, [26:24]).
- The tendency is still to optimize for shareholder value, but the calculus grows more complicated as events escalate.
The ICRC’s Legal Warning:
- Private sector must understand that, in some circumstances, their infrastructure could become a military objective; employees could be seen as directly participating in hostilities (Jonathan Horowitz, [28:57]).
- Many companies are unaware that, under international humanitarian law, their people and property could be lawfully targeted if they cross certain lines in conflict.
- Memorable moment:
  
  “Are employees of technology companies engaging in activities that would...constitute direct participation in hostilities? ...It could be a life or death conversation.”
  —Jonathan Horowitz ([31:12])

3. Armed Conflict: Direct Involvement and New Legal Realities

[35:00–47:50]

Types of Government Asks:
- Panelists identify three main ways the government might seek private sector assistance during conflict:
  1. Procurement: Standard contracts for goods/services.
  2. Soft cooperation: Requests for tips, information, or sharing that may lack formal process or clarity.
  3. “Weird asks”: Secret or surreptitious access, potentially high-risk and reputationally hazardous. —Adam Hickey ([35:42])
Risks Beyond Formal Cooperation:
- Many companies risk exposure simply by virtue of operating infrastructure or providing dual-use products; actors in conflict may exploit general-purpose tools (Laurie Blank, [38:47]).
- The integration of civilian and military networks/nodes means companies may be affected even without direct intent.
Insurance and “Acts of War” Clauses:
- Companies may not realize that cooperation with the government or certain conflicts could void insurance policies due to “act of war” exclusions (Laurie Blank & Adam Hickey, [38:55], [44:38]).
IHL Principles Still Apply—But the Cyber Realm Adds Complexity:
- Many of these legal questions—about dual-use objects, direct participation, and targeting—have parallels in conventional warfare (Jonathan Horowitz, [45:04]).
- However, the invisibility of cyber infrastructure and network overlap makes risk harder to perceive or manage.
- Quip:
  
  “That is true to cyberspace, but that is not new to cyberspace.”
  —Jonathan Horowitz ([46:43])
The Challenge of Visibility and Awareness:
- Companies (especially non-experts) may be unaware of their proximity to military activity in the “battlefield” of networks:
  
  “You can see the bridge, you can see the hill.... You can’t see when there’s overlap in the cyber world.”
  —Laurie Blank ([47:50])

4. Building Durable Public-Private Partnerships

[50:17–58:45]

Education and Communication Are Essential:
- Pre-crisis education—establishing shared vocabulary, understanding frameworks, and learning about risks—is vital.
- The key is clear, transparent government communication about what is being asked of private sector entities—especially outside procurement channels (Adam Hickey, [51:17]).
Tailored Engagement:
- Not all companies or sectors face the same risks; dialogue should be specific to the nature of services, infrastructure, and exposure (Jonathan Horowitz, [53:04]).
- Companies should proactively conduct internal audits to assess how their operations intersect with risks of targetability and legal obligation.
ICRC Principles of Engagement:
- The ICRC will engage with all parties (state or non-state) to ensure humanitarian obligations are upheld, regardless of how the battlefield evolves (Jonathan Horowitz, [57:10]).
- The rise of cyber does not fundamentally alter ICRC’s commitment to impartial humanitarian aid.

5. Takeaway “Bumper Stickers”

[59:02–59:46]

Adam Hickey: “I used it on the question—that’s my bumper sticker.”
(Refers to the need for clarity on the “ask”).
Laurie Blank:

“Beware of the line between engaging and all of a sudden bearing attribution and responsibility for.”
Jonathan Horowitz:

“The private sector has protections under international humanitarian law. It can lose those protections, and it also has obligations. Read the Geneva Conventions, read the Additional Protocols, and give the ICRC a call if you have any questions.”

Notable Quotes and Memorable Moments

On the perils of leaving out legal compliance:

"Cutting out legal, for example, would be my number one advice for what not to do if you’re looking for cooperation."
—Adam Hickey ([09:59])
On shifting realities in conflict:

"Are employees of technology companies engaging in activities that would...constitute direct participation in hostilities?...It could be a life or death conversation."
—Jonathan Horowitz ([31:12])
On reputational and legal risk:

"The flip side of that attribution question is when are the actions...of the folks we’ve been talking about now somehow be attributable to the state on our side? And that’s an equally important...piece."
—Laurie Blank ([22:41])
On the need for clarity:

"Plan to communicate transparently in the crisis or in conflict, it’s going to have to look a lot different from the fairly vague...that comes over in steady state periods, sometimes outside of procurement."
—Adam Hickey ([51:17])
On visibility in cyber conflict:

"You can see the bridge, you can see the hill... You can’t see when there’s overlap in the cyber world."
—Laurie Blank ([47:50])

Key Timestamps

Setting the Baseline: 05:38–15:25
Crisis Phase/Attribution: 19:13–28:57
Armed Conflict & Legal Questions: 35:00–47:50
Building Partnerships & Takeaways: 50:17–59:46

wavePod

Lawfare Archive: CYBERCOM Legal Conference: The Role of the Private Sector in Conflict

Powered by Wave AI

Summary

Lawfare Archive: CYBERCOM Legal Conference – The Role of the Private Sector in Conflict

Episode Overview

Key Discussion Points and Insights

1. Setting the Stage: The Pre-Conflict Baseline

2. Crisis Escalation: Blurred Lines and New Responsibilities

3. Armed Conflict: Direct Involvement and New Legal Realities

4. Building Durable Public-Private Partnerships

5. Takeaway “Bumper Stickers”

Notable Quotes and Memorable Moments

Key Timestamps

Conclusion

Summary

Lawfare Archive: CYBERCOM Legal Conference – The Role of the Private Sector in Conflict

Episode Overview

Key Discussion Points and Insights

1. Setting the Stage: The Pre-Conflict Baseline

2. Crisis Escalation: Blurred Lines and New Responsibilities

3. Armed Conflict: Direct Involvement and New Legal Realities

4. Building Durable Public-Private Partnerships

5. Takeaway “Bumper Stickers”

Notable Quotes and Memorable Moments

Key Timestamps

Conclusion